The joys of data hygiene

Unfortunately, the article explaining the GDPR in the current edition of my favourite business newspaper, The Economist, was riddled with errors. Tut tut!

Here’s an example: “Data Subjects can demand a copy of the data held on them (data portability) …” which, as we all know, is a subject access request (SAR) and isn’t an absolute right under the GDPR.

Another error in the article on GDPR is the bold assertion: “The GDPR is prescriptive about what organisations have to do to comply.”

Er, no it isn’t. Only a few parts go into detail, like the requirements for a data protection impact assessment (Art. 35, GDPR) or a subject access request (Art. 15, GDPR).

The GDPR is a deliberate move away from the ‘tick-box’ approach of the Data Protection Directive 95/46/EC that it replaces, towards a risk-based approach that is principles-driven. It removes pre-notification requirements for processing and replaces them with the highest standards of data protection, privacy and security for the processing of personal data anywhere on the planet.

Also wide of the mark is the old chestnut that “the GDPR will stymie innovation in Europe”, stated without referencing the outstanding work of Dr Ann Cavoukian over the past two decades, which clearly puts to rest the idea that there has to be a trade-off between privacy and innovation: it’s privacy AND innovation, and it’s not a zero-sum game.

Technology is moving so fast. And consumer trust needs to follow it. That’s why the law needed to be rebooted for the digital age.

That said, I do applaud The Economist for engaging in the privacy and data protection debate with such enthusiasm, even if it did make a few mistakes along the way!

According to Viktor Mayer-Schönberger, Professor of Internet Governance and Regulation at the Oxford Internet Institute, University of Oxford, the GDPR is “two faced”. It imposes costs but also structure.

This supports the economic case for a ‘clean sweep’ of the way in which companies and organisations process personal data and special categories of personal data, as this can put into practice what Dr Ann Cavoukian conceived over two decades ago – ‘data protection by design and by default’ – which I like to call ‘GDPR in a box’ and which is covered in the GDPR Handbook, to be published shortly.

Whatever your point of view, what’s clear is that the GDPR is a game-changer – that it moves data protection from the backroom to the boardroom. “We’ll probably spend the next 20 years figuring out what it means to be compliant,” observes Eduardo Ustaran, partner at law firm Hogan Lovells.

The end game must be about deepening digital trust so that companies and organisations can do more – not less – with personal data.

It’s therefore vital that Data Controllers are prepared to comply with the GDPR but also re-boot their thinking about how they can prosper in this new regulatory environment.

“If your organisation can demonstrate that good data protection is a cornerstone of your business policy and practices, you’ll see a real business benefit,” concludes Elizabeth Denham, UK Information Commissioner.

To pre-order your copy of the GDPR Handbook – A Guide to Implementing the EU General Data Protection Regulation (£49.99), published by Kogan Page, click here
